Wow, that guy doesn't know how to get to the point.
Okay what he says is overall true - you do not have device security with GrapheneOS as it is still just an Android fork. That means if you want your privacy of course you need to put physical covers over the cameras and be aware that the microphone can be turned on at any time remotely if your phone has been compromised by a cyberweapon. The only way to have device security with an Android phone is if you have air switches and can physically disconnect the camera and microphone in a way that cannot be compromised by malware.
That's it, that's basically his whole point, and a complaint that the GrapheneOS people as well as potentially the Privacy Tools people didn't take his point seriously. For GrapheneOS, well it's not nice to be told your Operating System has proven security vulnerabilities that you don't know about, and it's a tough pill to swallow when you're doing your best to make the OS more private and more secure than Android. But it is fundamentally an android fork, so all of the security and privacy benefits come from removing core components (software) that is embedded by Google. That doesn't remove attack vectors discovered by those who make cyberweapons - stuff like simple buffer overflows from unsigned ints that can result in compromising an entire device
That being said GrapheneOS is probably the best privacy-focused OS/ROM you can put on a Pixel, without seriously compromising device functionality. The only way to achieve device security at the OS level on a Pixel would be to use an OS that is not a fork of Android. So go for it, try putting Ubuntu on a new Pixel 7 Pro and see how far you get!!